Apple’s patch release policy is a concern for enterprise IT

A report at Computerworld cites security researchers who feel that Apple's patch release policy is a major stumbling block for increased adoption in enterprise IT. Apple tends to release OS, application, and security updates when they are available, with little or no warning to IT professionals. This is in stark contrast to Microsoft, which releases security patches like clockwork—on the second Tuesday of every month—and usually limits other updates to twice a month.

There are really two sides to this coin. The obvious downside is that planning a rollout of updates to a large number of systems requires time and resources, and an unannounced release forces that planning to start from zero each time. "If you can't properly plan for this, you're in a constant firefighting mode," said Andrew Storms, director of security operations at vendor nCircle Network Security Inc, in an interview with Computerworld. "[I]t's affecting the management of the IT team."

Charlie Miller, a researcher at Baltimore-based Independent Security Evaluators, told Computerworld that unscheduled patches could also cause some businesses to not patch at all. "The last thing they want is a patch that just shows up. They can't patch without testing. So this is one more reason for them to go, 'I just won't patch,'" he said.

The upside, however, is that releasing patches as soon as they are available shortens the window in which a known vulnerability remains unpatched and exploitable. Tom Johnson, a system administrator at Purdue University responsible for Mac IT, says that Apple's release practice doesn't preclude an IT organization from making its own patching plan. "In my opinion, it does make it harder to plan your time, since you don't know when updates will come out. However, even if Apple chooses not to have a regular schedule, as an organization you can choose to [have your own]," he told Ars. "How is it different if Apple artificially delays an update to meet [its] regular schedule?"

"If Apple should be compared with other vendors, take the other Unix vendors," Swa Frantzen of the SANS Institute's Internet Storm Center told Computerworld. "Sun, HP, FreeBSD, OpenBSD, the different Linux distributions—very few of them group together patches in a monthly cycle."

My own experience with Macs in many businesses is that end users are often left with little or no support from IT at all. So the more experienced tend to apply patches as Apple releases them, relying on notices from Software Update, while others simply ignore Software Update altogether.

Different businesses have different needs. "Business IT shops and university IT shops are on completely different schedules," said Johnson. "It doesn't matter to me if updates come out on the 2nd week of every month, because we are very reluctant to make changes during the semester unless they are needed security fixes or fix ongoing problems." But, he adds, "People like predictability. Large organizations seem to like regular schedules and plans, even if they don't really matter or they could create them on their own."

As usual, it seems Apple could benefit from at least some modicum of transparency. While keeping some product secrets from the general public may still be a winning PR strategy, having a way to communicate with IT professionals about future software updates would be wise and could offer a good compromise. As Johnson told us, "It is true that it could be kind of nice to know when updates are coming—even just a rough window, not exact dates." Such a compromise between the two strategies could give larger IT organizations enough latitude to have a tentative plan ready when updates arrive.